--- /dev/null
+#include "k5-int.h"
+#include "shs.h"
+#include "des_int.h" /* we cheat a bit and call it directly... */
+
+/* Windows needs to these prototypes for the assignment below */
+
+krb5_error_code
+krb5_sha_crypto_sum_func
+ PROTOTYPE((krb5_pointer in,
+ size_t in_length,
+ krb5_pointer seed,
+ size_t seed_length,
+ krb5_checksum FAR *outcksum));
+
+krb5_error_code
+krb5_sha_crypto_verify_func
+ PROTOTYPE((krb5_checksum FAR *cksum,
+ krb5_pointer in,
+ size_t in_length,
+ krb5_pointer seed,
+ size_t seed_length));
+
+static void
+krb5_sha_calculate_cksum(ctx, in, in_length, confound, confound_length)
+ SHS_INFO *ctx;
+ krb5_pointer in;
+ size_t in_length;
+ krb5_pointer confound;
+ size_t confound_length;
+{
+ shsInit(ctx);
+ if (confound && confound_length)
+ shsUpdate(ctx, confound, confound_length);
+ shsUpdate(ctx, in, in_length);
+ shsFinal(ctx);
+}
+
+static krb5_error_code
+shs_crypto_sum_func(in, in_length, seed, seed_length, outcksum)
+ krb5_pointer in;
+ size_t in_length;
+ krb5_pointer seed;
+ size_t seed_length;
+ krb5_checksum FAR *outcksum;
+{
+ krb5_octet outtmp[NIST_SHA_DES3_CKSUM_LENGTH+
+ NIST_SHA_DES3_CONFOUND_LENGTH];
+ krb5_octet *input = (krb5_octet *)in;
+ krb5_encrypt_block eblock;
+ krb5_keyblock keyblock;
+ krb5_error_code retval;
+ mit_des3_cblock tmpkey;
+ size_t i;
+
+ SHS_INFO working;
+
+ /* Generate the confounder in place */
+ if (retval = krb5_random_confounder(NIST_SHA_DES3_CONFOUND_LENGTH,
+ outtmp))
+ return(retval);
+
+ /* Calculate the checksum */
+ krb5_sha_calculate_cksum(&working,
+ in,
+ in_length,
+ (krb5_pointer) outtmp,
+ (size_t) NIST_SHA_DES3_CONFOUND_LENGTH);
+
+ outcksum->checksum_type = CKSUMTYPE_NIST_SHA_DES3;
+ outcksum->length =
+ NIST_SHA_DES3_CKSUM_LENGTH + NIST_SHA_DES3_CONFOUND_LENGTH;
+
+ /* Now blast in the digest */
+ memset((char *)&outtmp[NIST_SHA_DES3_CONFOUND_LENGTH], 0,
+ NIST_SHA_DES3_CKSUM_LENGTH);
+ memcpy((char *)&outtmp[NIST_SHA_DES3_CONFOUND_LENGTH],
+ (char *)&working.digest[0], NIST_SHA_CKSUM_LENGTH);
+
+ /* Clean up the droppings */
+ memset((char *)&working, 0, sizeof(working));
+
+ /* Set up the temporary copy of the key (see RFC 1510 section 6.4.5) */
+ memset((char *) tmpkey, 0, sizeof(tmpkey));
+ for (i=0; (i<seed_length) && (i<sizeof(tmpkey)); i++)
+ ((krb5_octet *)tmpkey)[i] = (((krb5_octet *) seed)[i]) ^ 0xf0;
+
+ keyblock.length = sizeof(tmpkey);
+ keyblock.contents = (krb5_octet *) tmpkey;
+ keyblock.enctype = ENCTYPE_DES3_CBC_SHA;
+
+ if ((retval = mit_des3_process_key(&eblock, &keyblock)))
+ return retval;
+
+ /* now that we have computed the key schedules, zero the key as the IV */
+ memset((char *) tmpkey, 0, sizeof(tmpkey));
+
+ /* now encrypt it */
+ retval = mit_des3_cbc_encrypt((mit_des_cblock *)&outtmp[0],
+ (mit_des_cblock *)outcksum->contents,
+ NIST_SHA_DES3_CKSUM_LENGTH +
+ NIST_SHA_DES3_CONFOUND_LENGTH,
+ (struct mit_des_ks_struct *)eblock.priv,
+ ((struct mit_des_ks_struct *)eblock.priv)+1,
+ ((struct mit_des_ks_struct *)eblock.priv)+2,
+ keyblock.contents,
+ MIT_DES_ENCRYPT);
+
+ if (retval)
+ (void) mit_des_finish_key(&eblock);
+ else
+ retval = mit_des_finish_key(&eblock);
+
+ return retval;
+}
+
+static krb5_error_code
+shs_crypto_verify_func(cksum, in, in_length, seed, seed_length)
+ krb5_checksum FAR *cksum;
+ krb5_pointer in;
+ size_t in_length;
+ krb5_pointer seed;
+ size_t seed_length;
+{
+ krb5_octet outtmp[NIST_SHA_DES3_CKSUM_LENGTH +
+ NIST_SHA_DES3_CONFOUND_LENGTH];
+ krb5_octet *input = (krb5_octet *)in;
+ krb5_encrypt_block eblock;
+ krb5_keyblock keyblock;
+ krb5_error_code retval;
+ mit_des3_cblock tmpkey;
+ size_t i;
+
+ SHS_INFO working;
+
+ retval = 0;
+ if (cksum->checksum_type == CKSUMTYPE_NIST_SHA_DES3) {
+ if (cksum->length == (NIST_SHA_DES3_CKSUM_LENGTH +
+ NIST_SHA_DES3_CONFOUND_LENGTH)) {
+ /*
+ * If we're verifying the correct implementation, then we have
+ * to do a little more work because we must decrypt the checksum
+ * because it contains the confounder in it. So, figure out
+ * what our key variant is and then do it!
+ */
+
+ /* Set up the variant of the key (see RFC 1510 section 6.4.5) */
+ memset((char *) tmpkey, 0, sizeof(tmpkey));
+ for (i=0; (i<seed_length) && (i<sizeof(tmpkey)); i++)
+ ((krb5_octet *)tmpkey)[i] = (((krb5_octet *) seed)[i]) ^ 0xf0;
+
+ keyblock.length = sizeof(tmpkey);
+ keyblock.contents = (krb5_octet *) tmpkey;
+ keyblock.enctype = ENCTYPE_DES3_CBC_SHA;
+
+ if ((retval = mit_des3_process_key(&eblock, &keyblock)))
+ return retval;
+
+ /* now zero the key for use as the IV */
+ memset((char *) tmpkey, 0, sizeof(tmpkey));
+
+ /* now decrypt it */
+ retval = mit_des3_cbc_encrypt((mit_des_cblock *)cksum->contents,
+ (mit_des_cblock *)&outtmp[0],
+ NIST_SHA_DES3_CKSUM_LENGTH +
+ NIST_SHA_DES3_CONFOUND_LENGTH,
+ (struct mit_des_ks_struct *)
+ eblock.priv,
+ ((struct mit_des_ks_struct *)
+ eblock.priv) + 1,
+ ((struct mit_des_ks_struct *)
+ eblock.priv) + 2,
+ keyblock.contents,
+ MIT_DES_DECRYPT);
+ if (retval)
+ (void) mit_des_finish_key(&eblock);
+ else
+ retval = mit_des_finish_key(&eblock);
+ if (retval) return retval;
+
+ /* Now that we have the decrypted checksum, try to regenerate it */
+ krb5_sha_calculate_cksum(&working,
+ in,
+ in_length,
+ (krb5_pointer) outtmp,
+ (size_t) NIST_SHA_DES3_CONFOUND_LENGTH);
+
+ /* Compare the checksums */
+ if (memcmp((char *) &outtmp[NIST_SHA_DES3_CONFOUND_LENGTH],
+ (char *) &working.digest[0],
+ NIST_SHA_CKSUM_LENGTH))
+ retval = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ }
+ else
+ retval = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ }
+ else
+ retval = KRB5KRB_AP_ERR_INAPP_CKSUM;
+
+ /* Clean up droppings */
+ memset((char *)&working, 0, sizeof(working));
+ return(retval);
+}
+
+krb5_checksum_entry nist_sha_des3_cksumtable_entry =
+{
+ 0,
+ shs_crypto_sum_func,
+ shs_crypto_verify_func,
+ NIST_SHA_DES3_CKSUM_LENGTH + NIST_SHA_DES3_CONFOUND_LENGTH,
+ 1, /* is collision proof */
+ 1, /* uses key */
+};
--- /dev/null
+#include <sys/types.h>
+#include <netinet/in.h>
+#include "shs.h"
+
+/* The SHS f()-functions. The f1 and f3 functions can be optimized to
+ save one boolean operation each - thanks to Rich Schroeppel,
+ rcs@cs.arizona.edu for discovering this */
+
+#define f1(x,y,z) ( z ^ ( x & ( y ^ z ) ) ) /* Rounds 0-19 */
+#define f2(x,y,z) ( x ^ y ^ z ) /* Rounds 20-39 */
+#define f3(x,y,z) ( ( x & y ) | ( z & ( x | y ) ) ) /* Rounds 40-59 */
+#define f4(x,y,z) ( x ^ y ^ z ) /* Rounds 60-79 */
+
+/* The SHS Mysterious Constants */
+
+#define K1 0x5A827999L /* Rounds 0-19 */
+#define K2 0x6ED9EBA1L /* Rounds 20-39 */
+#define K3 0x8F1BBCDCL /* Rounds 40-59 */
+#define K4 0xCA62C1D6L /* Rounds 60-79 */
+
+/* SHS initial values */
+
+#define h0init 0x67452301L
+#define h1init 0xEFCDAB89L
+#define h2init 0x98BADCFEL
+#define h3init 0x10325476L
+#define h4init 0xC3D2E1F0L
+
+/* Note that it may be necessary to add parentheses to these macros if they
+ are to be called with expressions as arguments */
+
+/* 32-bit rotate left - kludged with shifts */
+
+#define ROTL(n,X) ( ( ( X ) << n ) | ( ( X ) >> ( 32 - n ) ) )
+
+/* The initial expanding function. The hash function is defined over an
+ 80-word expanded input array W, where the first 16 are copies of the input
+ data, and the remaining 64 are defined by
+
+ W[ i ] = W[ i - 16 ] ^ W[ i - 14 ] ^ W[ i - 8 ] ^ W[ i - 3 ]
+
+ This implementation generates these values on the fly in a circular
+ buffer - thanks to Colin Plumb, colin@nyx10.cs.du.edu for this
+ optimization.
+
+ The updated SHS changes the expanding function by adding a rotate of 1
+ bit. Thanks to Jim Gillogly, jim@rand.org, and an anonymous contributor
+ for this information */
+
+#ifdef NEW_SHS
+ #define expand(W,i) ( W[ i & 15 ] = ROTL( 1, ( W[ i & 15 ] ^ W[ i - 14 & 15 ] ^ \
+ W[ i - 8 & 15 ] ^ W[ i - 3 & 15 ] ) ) )
+#else
+ #define expand(W,i) ( W[ i & 15 ] ^= W[ i - 14 & 15 ] ^ W[ i - 8 & 15 ] ^ W[ i - 3 & 15 ] )
+#endif /* NEW_SHS */
+
+/* The prototype SHS sub-round. The fundamental sub-round is:
+
+ a' = e + ROTL( 5, a ) + f( b, c, d ) + k + data;
+ b' = a;
+ c' = ROTL( 30, b );
+ d' = c;
+ e' = d;
+
+ but this is implemented by unrolling the loop 5 times and renaming the
+ variables ( e, a, b, c, d ) = ( a', b', c', d', e' ) each iteration.
+ This code is then replicated 20 times for each of the 4 functions, using
+ the next 20 values from the W[] array each time */
+
+#define subRound(a, b, c, d, e, f, k, data) \
+ ( e += ROTL( 5, a ) + f( b, c, d ) + k + data, b = ROTL( 30, b ) )
+
+/* Initialize the SHS values */
+
+void shsInit(shsInfo)
+ SHS_INFO *shsInfo;
+{
+ /* Set the h-vars to their initial values */
+ shsInfo->digest[ 0 ] = h0init;
+ shsInfo->digest[ 1 ] = h1init;
+ shsInfo->digest[ 2 ] = h2init;
+ shsInfo->digest[ 3 ] = h3init;
+ shsInfo->digest[ 4 ] = h4init;
+
+ /* Initialise bit count */
+ shsInfo->countLo = shsInfo->countHi = 0;
+}
+
+/* Perform the SHS transformation. Note that this code, like MD5, seems to
+ break some optimizing compilers due to the complexity of the expressions
+ and the size of the basic block. It may be necessary to split it into
+ sections, e.g. based on the four subrounds
+
+ Note that this corrupts the shsInfo->data area */
+
+static void SHSTransform KRB5_PROTOTYPE((LONG *digest, LONG *data));
+
+static
+void SHSTransform(digest, data)
+ LONG *digest;
+ LONG *data;
+{
+ LONG A, B, C, D, E; /* Local vars */
+ LONG eData[ 16 ]; /* Expanded data */
+
+ /* Set up first buffer and local data buffer */
+ A = digest[ 0 ];
+ B = digest[ 1 ];
+ C = digest[ 2 ];
+ D = digest[ 3 ];
+ E = digest[ 4 ];
+ memcpy( eData, data, SHS_DATASIZE );
+
+ /* Heavy mangling, in 4 sub-rounds of 20 interations each. */
+ subRound( A, B, C, D, E, f1, K1, eData[ 0 ] );
+ subRound( E, A, B, C, D, f1, K1, eData[ 1 ] );
+ subRound( D, E, A, B, C, f1, K1, eData[ 2 ] );
+ subRound( C, D, E, A, B, f1, K1, eData[ 3 ] );
+ subRound( B, C, D, E, A, f1, K1, eData[ 4 ] );
+ subRound( A, B, C, D, E, f1, K1, eData[ 5 ] );
+ subRound( E, A, B, C, D, f1, K1, eData[ 6 ] );
+ subRound( D, E, A, B, C, f1, K1, eData[ 7 ] );
+ subRound( C, D, E, A, B, f1, K1, eData[ 8 ] );
+ subRound( B, C, D, E, A, f1, K1, eData[ 9 ] );
+ subRound( A, B, C, D, E, f1, K1, eData[ 10 ] );
+ subRound( E, A, B, C, D, f1, K1, eData[ 11 ] );
+ subRound( D, E, A, B, C, f1, K1, eData[ 12 ] );
+ subRound( C, D, E, A, B, f1, K1, eData[ 13 ] );
+ subRound( B, C, D, E, A, f1, K1, eData[ 14 ] );
+ subRound( A, B, C, D, E, f1, K1, eData[ 15 ] );
+ subRound( E, A, B, C, D, f1, K1, expand( eData, 16 ) );
+ subRound( D, E, A, B, C, f1, K1, expand( eData, 17 ) );
+ subRound( C, D, E, A, B, f1, K1, expand( eData, 18 ) );
+ subRound( B, C, D, E, A, f1, K1, expand( eData, 19 ) );
+
+ subRound( A, B, C, D, E, f2, K2, expand( eData, 20 ) );
+ subRound( E, A, B, C, D, f2, K2, expand( eData, 21 ) );
+ subRound( D, E, A, B, C, f2, K2, expand( eData, 22 ) );
+ subRound( C, D, E, A, B, f2, K2, expand( eData, 23 ) );
+ subRound( B, C, D, E, A, f2, K2, expand( eData, 24 ) );
+ subRound( A, B, C, D, E, f2, K2, expand( eData, 25 ) );
+ subRound( E, A, B, C, D, f2, K2, expand( eData, 26 ) );
+ subRound( D, E, A, B, C, f2, K2, expand( eData, 27 ) );
+ subRound( C, D, E, A, B, f2, K2, expand( eData, 28 ) );
+ subRound( B, C, D, E, A, f2, K2, expand( eData, 29 ) );
+ subRound( A, B, C, D, E, f2, K2, expand( eData, 30 ) );
+ subRound( E, A, B, C, D, f2, K2, expand( eData, 31 ) );
+ subRound( D, E, A, B, C, f2, K2, expand( eData, 32 ) );
+ subRound( C, D, E, A, B, f2, K2, expand( eData, 33 ) );
+ subRound( B, C, D, E, A, f2, K2, expand( eData, 34 ) );
+ subRound( A, B, C, D, E, f2, K2, expand( eData, 35 ) );
+ subRound( E, A, B, C, D, f2, K2, expand( eData, 36 ) );
+ subRound( D, E, A, B, C, f2, K2, expand( eData, 37 ) );
+ subRound( C, D, E, A, B, f2, K2, expand( eData, 38 ) );
+ subRound( B, C, D, E, A, f2, K2, expand( eData, 39 ) );
+
+ subRound( A, B, C, D, E, f3, K3, expand( eData, 40 ) );
+ subRound( E, A, B, C, D, f3, K3, expand( eData, 41 ) );
+ subRound( D, E, A, B, C, f3, K3, expand( eData, 42 ) );
+ subRound( C, D, E, A, B, f3, K3, expand( eData, 43 ) );
+ subRound( B, C, D, E, A, f3, K3, expand( eData, 44 ) );
+ subRound( A, B, C, D, E, f3, K3, expand( eData, 45 ) );
+ subRound( E, A, B, C, D, f3, K3, expand( eData, 46 ) );
+ subRound( D, E, A, B, C, f3, K3, expand( eData, 47 ) );
+ subRound( C, D, E, A, B, f3, K3, expand( eData, 48 ) );
+ subRound( B, C, D, E, A, f3, K3, expand( eData, 49 ) );
+ subRound( A, B, C, D, E, f3, K3, expand( eData, 50 ) );
+ subRound( E, A, B, C, D, f3, K3, expand( eData, 51 ) );
+ subRound( D, E, A, B, C, f3, K3, expand( eData, 52 ) );
+ subRound( C, D, E, A, B, f3, K3, expand( eData, 53 ) );
+ subRound( B, C, D, E, A, f3, K3, expand( eData, 54 ) );
+ subRound( A, B, C, D, E, f3, K3, expand( eData, 55 ) );
+ subRound( E, A, B, C, D, f3, K3, expand( eData, 56 ) );
+ subRound( D, E, A, B, C, f3, K3, expand( eData, 57 ) );
+ subRound( C, D, E, A, B, f3, K3, expand( eData, 58 ) );
+ subRound( B, C, D, E, A, f3, K3, expand( eData, 59 ) );
+
+ subRound( A, B, C, D, E, f4, K4, expand( eData, 60 ) );
+ subRound( E, A, B, C, D, f4, K4, expand( eData, 61 ) );
+ subRound( D, E, A, B, C, f4, K4, expand( eData, 62 ) );
+ subRound( C, D, E, A, B, f4, K4, expand( eData, 63 ) );
+ subRound( B, C, D, E, A, f4, K4, expand( eData, 64 ) );
+ subRound( A, B, C, D, E, f4, K4, expand( eData, 65 ) );
+ subRound( E, A, B, C, D, f4, K4, expand( eData, 66 ) );
+ subRound( D, E, A, B, C, f4, K4, expand( eData, 67 ) );
+ subRound( C, D, E, A, B, f4, K4, expand( eData, 68 ) );
+ subRound( B, C, D, E, A, f4, K4, expand( eData, 69 ) );
+ subRound( A, B, C, D, E, f4, K4, expand( eData, 70 ) );
+ subRound( E, A, B, C, D, f4, K4, expand( eData, 71 ) );
+ subRound( D, E, A, B, C, f4, K4, expand( eData, 72 ) );
+ subRound( C, D, E, A, B, f4, K4, expand( eData, 73 ) );
+ subRound( B, C, D, E, A, f4, K4, expand( eData, 74 ) );
+ subRound( A, B, C, D, E, f4, K4, expand( eData, 75 ) );
+ subRound( E, A, B, C, D, f4, K4, expand( eData, 76 ) );
+ subRound( D, E, A, B, C, f4, K4, expand( eData, 77 ) );
+ subRound( C, D, E, A, B, f4, K4, expand( eData, 78 ) );
+ subRound( B, C, D, E, A, f4, K4, expand( eData, 79 ) );
+
+ /* Build message digest */
+ digest[ 0 ] += A;
+ digest[ 1 ] += B;
+ digest[ 2 ] += C;
+ digest[ 3 ] += D;
+ digest[ 4 ] += E;
+}
+
+/* When run on a little-endian CPU we need to perform byte reversal on an
+ array of longwords. It is possible to make the code endianness-
+ independant by fiddling around with data at the byte level, but this
+ makes for very slow code, so we rely on the user to sort out endianness
+ at compile time */
+
+void longReverse( LONG *buffer, int byteCount )
+{
+ LONG value;
+ static int init = 0;
+
+ switch (init) {
+ case 0:
+ if (htonl(1) != 1) {
+ init=2;
+ break;
+ }
+ init=1;
+ /* fall through - MSB */
+ case 1:
+ return;
+ }
+
+ byteCount /= sizeof( LONG );
+ while( byteCount-- ) {
+ value = *buffer;
+ value = ( ( value & 0xFF00FF00L ) >> 8 ) | \
+ ( ( value & 0x00FF00FFL ) << 8 );
+ *buffer++ = ( value << 16 ) | ( value >> 16 );
+ }
+}
+
+/* Update SHS for a block of data */
+
+void shsUpdate(shsInfo, buffer, count)
+ SHS_INFO *shsInfo;
+ BYTE *buffer;
+ int count;
+{
+ LONG tmp;
+ int dataCount;
+
+ /* Update bitcount */
+ tmp = shsInfo->countLo;
+ if ( ( shsInfo->countLo = tmp + ( ( LONG ) count << 3 ) ) < tmp )
+ shsInfo->countHi++; /* Carry from low to high */
+ shsInfo->countHi += count >> 29;
+
+ /* Get count of bytes already in data */
+ dataCount = ( int ) ( tmp >> 3 ) & 0x3F;
+
+ /* Handle any leading odd-sized chunks */
+ if( dataCount )
+ {
+ BYTE *p = ( BYTE * ) shsInfo->data + dataCount;
+
+ dataCount = SHS_DATASIZE - dataCount;
+ if( count < dataCount )
+ {
+ memcpy( p, buffer, count );
+ return;
+ }
+ memcpy( p, buffer, dataCount );
+ longReverse( shsInfo->data, SHS_DATASIZE );
+ SHSTransform( shsInfo->digest, shsInfo->data );
+ buffer += dataCount;
+ count -= dataCount;
+ }
+
+ /* Process data in SHS_DATASIZE chunks */
+ while( count >= SHS_DATASIZE )
+ {
+ memcpy( shsInfo->data, buffer, SHS_DATASIZE );
+ longReverse( shsInfo->data, SHS_DATASIZE );
+ SHSTransform( shsInfo->digest, shsInfo->data );
+ buffer += SHS_DATASIZE;
+ count -= SHS_DATASIZE;
+ }
+
+ /* Handle any remaining bytes of data. */
+ memcpy( shsInfo->data, buffer, count );
+}
+
+/* Final wrapup - pad to SHS_DATASIZE-byte boundary with the bit pattern
+ 1 0* (64-bit count of bits processed, MSB-first) */
+
+void shsFinal(shsInfo)
+ SHS_INFO *shsInfo;
+{
+ int count;
+ BYTE *dataPtr;
+
+ /* Compute number of bytes mod 64 */
+ count = ( int ) shsInfo->countLo;
+ count = ( count >> 3 ) & 0x3F;
+
+ /* Set the first char of padding to 0x80. This is safe since there is
+ always at least one byte free */
+ dataPtr = ( BYTE * ) shsInfo->data + count;
+ *dataPtr++ = 0x80;
+
+ /* Bytes of padding needed to make 64 bytes */
+ count = SHS_DATASIZE - 1 - count;
+
+ /* Pad out to 56 mod 64 */
+ if( count < 8 )
+ {
+ /* Two lots of padding: Pad the first block to 64 bytes */
+ memset( dataPtr, 0, count );
+ longReverse( shsInfo->data, SHS_DATASIZE );
+ SHSTransform( shsInfo->digest, shsInfo->data );
+
+ /* Now fill the next block with 56 bytes */
+ memset( shsInfo->data, 0, SHS_DATASIZE - 8 );
+ }
+ else
+ /* Pad block to 56 bytes */
+ memset( dataPtr, 0, count - 8 );
+
+ /* Append length in bits and transform */
+ shsInfo->data[ 14 ] = shsInfo->countHi;
+ shsInfo->data[ 15 ] = shsInfo->countLo;
+
+ longReverse( shsInfo->data, SHS_DATASIZE - 8 );
+ SHSTransform( shsInfo->digest, shsInfo->data );
+}
projects / krb5.git / commitdiff